What is Mobile Security?

Jamf Now

Author: Jesus Vigo, September 15, 2023

Source: https://www.jamf.com/blog/what-is-mobile-security/

Simply put, mobile security is the protection of smartphones, tablets and mobile computers (laptops) from security threats.

What is mobile security?

While it is typically defined in scope to specifically call out threats associated with wireless computing, this could be misleading as there are threat types that do not rely on wireless communications to be considered successful attacks, like device theft or exfiltrating data locally to a USB flash drive.

Why is mobile security important?

Similar to computer-based security, as more users and organizations come to rely on mobile technologies for communication, collaboration and working while on the go, mobile devices are increasingly being leveraged to contain, process and/or transmit sensitive data. While this bears little difference to desktop computers in usage, the difference for mobile security lies in that mobile devices provide new ways of performing personal and professional tasks, in turn introducing new forms of risk that endpoint security solutions designed for desktop computers may not and usually do not address comprehensively.

For example, given how mobile operating systems are designed, most malware targeting mobile devices has so far operated only within resident memory once executed. Once a smartphone or tablet is power cycled, the memory is flushed and the threat is removed until it is triggered once again. However, users seldom reboot their mobile devices, so these threats linger on, causing untold havoc.

Conversely, on desktop operating systems, malware works nearly identically, except that there exist multiple ways by which malware authors can establish persistence, allowing them to retain a foothold within the computer even after being rebooted. Therefore, endpoint security for desktop systems scans memory as well as the system itself for other Indicators of Compromise (IoC). Once identified, the remediation workflow executes to remove the threat.

Though the two may appear only slightly different on the surface, behind the scenes there are significant differences in how endpoint security operates on mobile versus desktop computing platforms. It is this difference, paired with the explosive growth of the mobile segment and the fact that mobile devices do, after all, use network connections to communicate with apps, resources and services over the internet, that poses a greater risk to data security and end-user privacy. If left unchecked, this includes a device acting as a conduit for facilitating larger-scale network-based attacks, as well as future attacks being actively developed.

Out-of-the-box, mobile security is not enough

Many who follow our blog know how pivotal security and privacy play when using technology. One of the leaders of this discussion arguably is Apple, whose commitment to both is witnessed in its consistent inclusion of security and privacy frameworks that serve as a tentpole of the platform.

In fact, since its introduction on the iPhone by way of Touch ID, Apple has built its security and privacy framework into every piece of hardware, mobile and desktop computing alike, ensuring that anyone using a device across its entire product line finds the same level of protection. However, a discussion of mobile security has to include Microsoft and Google alongside Apple, and relates not just to smartphones but to tablets and wearables as well.

Even with all their security-focused features in tow, such as the device encryption and biometrics mentioned earlier, mobile security requires a comprehensive approach in order to keep mobile endpoints safe and ensure data security. This doesn’t imply an inherent weakness in the devices themselves; rather, it speaks to the nature of the evolving mobile threat landscape, specifically one shaped by rapid changes that are hard for organizations to keep up with. For example, in their rush to deploy mobile devices, many businesses overlook the following:

  • Critical security protocols, leaving them exposed to potential threats
  • Holistic endpoint security that addresses existing as well as novel threats
  • Rigorous security hygiene procedures that begin with device provisioning and deployment
  • Ensuring mobile devices adhere to strong baseline settings
  • Adherence to security standards that are crucial for maintaining organizational integrity
  • Meeting and maintaining compliance amid the rapid adoption of cloud-based services
  • The increased risk factors associated with the rise of hybrid work patterns
  • How the expansion of native apps challenges the current enterprise mobility model

While we could go on about endpoint security in general, the focus of this blog is specifically on mobile security and how the growth of this segment has led to mass adoption at a global level. Furthermore, that adoption has fueled the incorporation of mobile technology into many different industries: from education, with 1:1 programs for students, to supply chain and logistics, where devices serve as invaluable tools for getting supplies where they need to go quickly, to remote/hybrid work environments in every industry, thanks in no small part to their blend of powerful computing and lightweight form factor. The ubiquitous design lends itself to helping users access critical resources at any time, from anywhere.

And therein lies the rub, doesn’t it? How does an organization manage mobile devices without diluting the powerful, yet easy-to-use platforms while at the same time not compromising security at the expense of convenience? Or how about the common tradeoff that occurs when incorporating security by ensuring that it does not compromise end-user privacy in an all-consuming aim to secure mobile devices?

As we’ve seen historically, sadly there’s usually a tradeoff when implementing a mobile security plan. The compromise to efficiently being able to work from anywhere is often mobile security as organizations typically fall into the trap of over-protecting or under-managing. Regardless of the category your company falls into, however, the end result remains the same: devices, users and data are left vulnerable.

By ensuring that data security and privacy are always at the forefront (and never an afterthought) of any process running on mobile devices, they don’t have to be.

How does mobile security impact organizations?

Like cybersecurity in general, mobile security affects multiple aspects of an organization — not just its devices, users or data — though these are certainly factors that are critically affected and often what you hear about most in the media. Some of the other ways mobile security impacts organizations are:

  • Loss of company integrity and its public perception/reputation
  • Ceasing of business operations and preventing business continuity
  • Leaking of confidential information, like trade secrets
  • Civil and/or criminal liability stemming from violating compliance regulations
  • Device compromises that lead to lateral network movements and subsequent data breaches
  • Unauthorized access to protected user data, like PII and PHI
  • Hindering the potential of mobile workspaces and distributed workforces

It’s important to note that, while any or potentially all of these security issues may impact your organization, this information is not intended to scare, but rather to inform. Being aware of the mobile threats that exist and how they impact organizations is the first step toward implementing a defense-in-depth strategy that holistically and comprehensively manages mobile devices while mitigating the current and growing list of mobile threats.

Types of mobile security threats

Below is a list of key threats affecting mobile security. By no means is this list exhaustive or future-proof, but it does provide insight into various types of threats so that IT and users alike have a better idea of the vulnerabilities and attack campaigns threat actors are currently leveraging when targeting mobile endpoints.

  • Phishing: Social engineering, or campaigns that leverage SMS, email, phone calls, social media and messaging software that tricks end users into divulging sensitive information, such as passwords, or gets them to click on malicious links to compromise mobile devices.
  • Malware: Malicious code or applications that compromise the security and privacy of endpoints and users respectively in order to achieve a particular means, or several of them, depending on the malware type or how they’re combined. Examples are:
    • Ransomware: Encrypts private data and prompts the user to pay a ransom for the decryption key or risk losing data forever.
    • Spyware: Gathers information on users, such as which websites they visit, logs keystrokes and copies cookies, allowing actors to attack their devices and hijack their sessions.
    • Adware: Delivery of advertisements for products and services to get users to click on them to further compromise a device. Also used to deliver malware to devices.
    • Stalkerware: Similar to spyware, but data gathering extends to the webcam, photos, telephone and text conversations to track users’ whereabouts, including leveraging GPS to physically track victims.
    • Cryptomining: A tiny program that utilizes hardware resources to mine cryptocurrency for bad actors. Reduces performance and may impact normal device operation.
    • Potentially Unwanted Program (PUP): While PUPs are not necessarily malware, unwanted apps are typically packaged together with other software, residing on the device unbeknownst to the user and possibly leading to greater security risks in the future.
    • Trojan: Programs that mask their true intention, such as malware repackaged as a legitimate app. Additionally, several trojan apps are legitimate apps that have been cracked (had their internal security broken) to include malicious code. These may be distributed via third-party app stores as free versions of commercially licensed software.
  • Loss/Theft: Mobile devices, by nature, are routinely taken out of offices and homes to work from alternative locations. This increases the likelihood that they are lost, misplaced or targeted for theft by criminals, placing the contents of those devices, sensitive data and private information, at risk of compromise.
  • Man-in-the-Middle (MitM): Also known as “eavesdropping”, this attack is quite common wherever unsecured Wi-Fi hotspots are available. This allows unsuspecting users to connect to unencrypted wireless networks, where attackers may intercept their communications and/or leverage it to gain access to their devices.
  • App Permissions: Granting app permissions to resources is not uncommon nor a big cause for concern generally. However, when apps are granted improper permissions or these apps abuse the permissions granted, this may lead to violations of privacy and/or data exfiltration.
  • Patch Management: Updates to apps, the operating system and hardware components are made available by developers to fortify the software and hardware, protecting it against known attacks by mitigating vulnerabilities. Without updates in place, devices and apps may become vectors for attacks, compromises and further data breaches.
  • Weak/No Passwords: Weak passwords that are easily guessed, not changed from their default or simply not enabled at all represent the “low-hanging fruit” for bad actors. Sometimes, the only protection standing between a compromised device and one that has not been compromised is a strong, unique password to keep data safe.
  • Encryption: Fitting hand in glove with the weak/no passwords and device loss/theft items above, encryption is often considered the last bastion of security when a device is no longer in your possession. Whole-disk encryption scrambles the internal data using powerful algorithms that are nearly unbreakable (or may take a few thousand years to break, give or take) when a strong, unique password is enabled, utilizing multiple key spaces for greater complexity.
  • Unsecured Connections: Open Wi-Fi hotspots do not offer any security protection, just internet access. This leaves your devices, data and the network connection being used to communicate all open to threats. It also leaves the resources you’re connecting to on the other end open to attack as well. Securing untrusted connections via VPN encrypts transmissions and connects to endpoints through a secure tunnel, keeping them free from unauthorized access. Zero Trust Network Access (ZTNA) offers the security of a VPN while also performing device health checks before granting access each time a resource is requested.
  • Misconfigurations: Misconfigured devices, those that have kept default configurations in place or have fallen out of compliance are at a greater risk of being compromised by threats than those that have been hardened against common threats by limiting the available attack surface of your mobile device.

Benefits of having a mobile security solution

Let’s start with the most obvious reason. Though it may seem like two reasons, they go hand in hand: mobile device adoption rates worldwide have grown, and continue to grow, at breakneck speed.

Just how deep is mobile penetration, you ask? According to a survey performed by Statista, in 2023, “the current number of mobile phone users is 7.33 billion, which makes 90.97% of people in the world cell phone owners.” If we factor out feature phones, choosing to only account for smartphones, then “the current number of smartphone users in the world today is 6.92 billion, meaning 85.88% of the world’s population owns a smartphone.”

That figure represents only smartphones. Despite taking a majority of the market share in the mobile device space, it still leaves out other popular device types, such as tablets and wearables like smartwatches. Each of these device types is also used by people for personal purposes as well as at work.

Each mobile device that:

  • Processes business data
  • Uses work-related apps
  • Accesses organizational resources
  • Connects to company networks

and that isn’t properly managed and secured, even if it is doing so alongside apps and data for personal use, poses a risk to the enterprise, to compliance and to the user’s privacy.

A comprehensive mobile security strategy — one that integrates alongside your existing Mac environment — that provides a holistic management and security plan ensures that:

  • Protection extends uniformly across the infrastructure
  • All endpoints are secured against modern and evolving threats
  • Business resources and user privacy data are safeguarded, regardless of whether devices are company- or personally-owned
  • Users can work from anywhere, on any device and over any network connection securely
  • Ever-increasing risks impacting devices, users and data are effectively mitigated
  • Organizations maintain compliance with regulations

Types of mobile security solutions

If you haven’t guessed yet, there are a lot of real and potential threats affecting mobile security. And if it continues its rate of growth, it is estimated that approximately 8+ billion mobile devices will exist globally by 2024. While it’s unlikely that every single one of them will be attacked, any attempt to quantify a figure will be pure speculation given the number of variables.

What is known are the mobile security solutions available, how they work and why they’re necessary to protect your mobile fleet and keep your users, devices and data safe and secure.

  • Zero Trust Network Access: ZTNA, as it’s referred to, secures network communications similar to a VPN, while providing additional safeguards that protect resources such as apps and services. With built-in device health checking, IT gains granular insight into devices, including patch levels, whether devices are compromised or affected by malware and whether they meet organizational requirements, before access to individual resources is approved. Resources are segmented from one another for the purposes of maintaining security; this way, if a user’s access has been compromised for a particular app, only that app is affected and users may continue to work on other resources without fear of lateral movement compromising them. Devices failing health checks are denied access, then placed into remediation where the issues are mitigated before access can once again be granted.
  • Mobile Endpoint Protection: Preventing malware is just one part of the mobile security equation. Mitigating phishing threats, by identifying and blocking domains that leverage malicious URLs in their campaigns, and zero-day attacks is a significant step forward in protecting your mobile fleet. Further security from network-based attacks such as MitM, as well as compliance checking that allows organizations to align requirements to Acceptable Use Policies (AUPs) and minimize misconfiguration of settings through policy-based management, further strengthens the security posture of your devices and of your infrastructure, regardless of whether it is local, cloud-based, public and/or private, or a combination thereof.
  • Website Content Filtering: Implementing intelligent content filtering of malicious websites not only minimizes the threat from phishing websites but also reduces legal exposure from inappropriate use and/or illicit websites, while network-aware security controls that safeguard cellular, wired, roaming and Wi-Fi connections provide an additional layer of protection. Seamless scaling across multiple management models, such as BYOD/CYOD/COPE, for enforcing AUPs on company-owned and personally owned devices alike ensures that organizational resources and end-user privacy are protected equally, not at the cost of one another.
  • Patch Management: No device management would be complete without managing apps and devices throughout their lifecycle: ensuring that both are sourced and updated, that critical configurations are set properly and consistently across all device types, and that a centralized management platform gives end users the flexibility to do their work from anywhere, at any time, without limiting their efficacy, while simultaneously permitting IT and Security teams to respond quickly to any number of issues in real time. And let’s not forget the capability of supporting the very latest security features, new functionality and software updates from day one.
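The ZTNA bullet above describes the core mechanism: evaluate a device’s health before each resource request, segment resources so one failure doesn’t block everything, and hand failing devices a remediation list. The following Python script is an added example written for this post to make that flow concrete; it is not Jamf’s code or data model. The posture fields, the two resource baselines and the sample devices are all constructed for the illustration, and the “compromise indicators deny everything, baseline gaps deny per resource” rule is the design choice it demonstrates.

```python
"""
Added example: a ZTNA-style device health check that gates access per
resource and produces a remediation list for devices that fail. Posture
fields, resource policies and sample devices are constructed for this
illustration and are not Jamf's data model or API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DevicePosture:
    """Health signals a management agent might report (constructed fields)."""
    device_id: str
    os_version: tuple          # e.g. (16, 6, 1); tuples compare element-wise
    encrypted: bool            # data protection / disk encryption enabled
    passcode_set: bool
    jailbroken: bool           # OS integrity compromised (rooted/jailbroken)
    malware_detected: bool


@dataclass(frozen=True)
class ResourcePolicy:
    """Minimum posture a single segmented resource demands."""
    name: str
    min_os: tuple
    require_encryption: bool = True
    require_passcode: bool = True


@dataclass
class Decision:
    allowed: bool
    remediation: list = field(default_factory=list)


def _fmt(version):
    return ".".join(str(part) for part in version)


def evaluate(posture, policy):
    """Check one device against one resource policy.

    Every failed requirement is recorded so the remediation step can fix
    all issues at once instead of bouncing the user back one at a time.
    """
    findings = []
    # Compromise indicators block every resource, whatever the policy says.
    if posture.jailbroken:
        findings.append("OS integrity compromised: re-provision on a clean OS")
    if posture.malware_detected:
        findings.append("malware detected: quarantine and clean before retry")
    # Baseline gaps are judged against this resource's own requirements.
    if posture.os_version < policy.min_os:
        findings.append(f"OS {_fmt(posture.os_version)} below required "
                        f"{_fmt(policy.min_os)}: install pending updates")
    if policy.require_encryption and not posture.encrypted:
        findings.append("encryption disabled: enable data protection")
    if policy.require_passcode and not posture.passcode_set:
        findings.append("no passcode: set a strong device passcode")
    return Decision(allowed=not findings, remediation=findings)


def authorize(posture, policies):
    """Evaluate each resource independently (segmentation).

    A device that misses the stricter HR-portal baseline can still reach
    mail, while a compromised device is cut off from everything.
    """
    return {p.name: evaluate(posture, p) for p in policies}


# Constructed resource baselines: the HR portal requires a newer OS.
POLICIES = [
    ResourcePolicy("mail", min_os=(16, 0, 0)),
    ResourcePolicy("hr-portal", min_os=(16, 6, 0)),
]

# Constructed sample devices (device_id, os_version, encrypted,
# passcode_set, jailbroken, malware_detected).
SAMPLE_DEVICES = {
    "healthy": DevicePosture("ipad-01", (16, 6, 1), True, True, False, False),
    "behind-on-patches": DevicePosture("iphone-02", (16, 4, 0), True, True, False, False),
    "jailbroken": DevicePosture("iphone-03", (16, 6, 1), True, True, True, False),
    "no-passcode": DevicePosture("iphone-04", (16, 6, 1), False, False, False, False),
}

if __name__ == "__main__":
    for label, device in SAMPLE_DEVICES.items():
        for resource, decision in authorize(device, POLICIES).items():
            verdict = "ALLOW" if decision.allowed else "DENY "
            print(f"{verdict} {label:18} -> {resource:10} {decision.remediation}")
```

Running the script prints one line per device and resource: the patched device is allowed everywhere, the device behind on patches reaches mail but not the HR portal, the jailbroken device is denied both, and the device without a passcode collects two remediation items per resource. The point worth carrying into a real deployment is that the decision is recomputed on every request from current posture, never cached from enrollment time.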

Why your mobile devices need as much attention as your Macs

If your company secures Mac computers, why are you not securing mobile devices?

Regardless of your industry or regional location, organizations worldwide have adopted, and continue to adopt, Apple devices for work. Consider that less than two years ago, in 2021, Apple’s annual revenue was $365.8 billion! The percentage of that revenue generated from iPhone (51.9%) and iPad (8.8%) sales combined was 60.7%. The Apple Watch alone sold more than iPad and Mac (9.8%) individually, accounting for 10.4% of the total revenue.

There’s clearly a demand for mobile devices running iOS and iPadOS, among others running Windows, Android and Chrome OS. More devices equals a higher potential of introducing risk into your organization.

If they are different, why do they need the same level of security?

Well, they are computing devices after all and, more to the point, ones that utilize and rely upon the same types of apps, services and processes to get work done safely and securely. Sure, there are differences in the ways in which mobile device and desktop computer operating systems handle certain processes, or in the workflows by which users can be productive within these respective OS’s, but make no mistake: they share just as many similarities when it comes to data security as they share differences, making it critical for admins to embrace the similarities while minimizing the risk that the differences could introduce if left unchecked.

How do mixed environments, using personally- and corporate-owned devices, impact mobile security?

For organizations that do not have a mobile device security plan in place, the reality is that there is little to distinguish personally-owned devices from corporate-owned ones when viewed through the lens of risk management. Without comprehensive protections in place to prevent malware, secure network connections or separate business data from personal data with segmented and encrypted volumes, organizations will have great difficulty determining whether a device meets compliance, is authorized to access sensitive resources or has opened the door to a data breach after an unpatched vulnerability has been exploited by threat actors.

In other words, IT and Security teams lack the necessary insight into device health in real-time to truly understand the security posture of the devices themselves or how that impacts the organization’s overall security posture.

Now, let’s flip this around. Your organization does have a mobile device security plan that’s integrated alongside the larger, holistic security plan. How does that change things?

For starters, there’s protection against modern threats. Not just ones that impact desktop or mobile operating systems, but rather all supported platforms — regardless of the device type or ownership model. Next, there’s coverage that protects the infrastructure comprehensively. It spans across devices, users, resources and data repositories to ensure that security is a fundamental requirement that is addressed top to bottom and end to end.

What are the use cases for mobile?

It used to be that mobile devices were not really used by consumers, let alone for business. This goes back almost a decade until the smartphone began to gain the interest of enterprise users, like those that relied on Blackberry to communicate over IM and email while on the go.

With the release of the first iPhone in 2007, users took to the sleek device with its promise of desktop-like features without carrying around a laptop or something far heavier. Years later, the rise of native mobile applications, increased adoption of cloud-based services and greater performance and efficiency have effectively placed a thin, lightweight computer in the pockets of billions of users globally.

Mobile devices have expanded since then, to encompass tablets and smartwatches, to greater fanfare and some incredibly simple yet powerful workflows that help keep users productive — working smarter, not harder.

Any scenario is a use case for mobile. That said, some of the more commonly seen ones by industry are:

  • Healthcare: Health practitioners have taken to mobile technology to perform wellness checks through tele-health sessions with patients.
  • Education: Students rely on 1:1 programs that have transformed how teachers deliver lessons while effectively exchanging multiple books, paper, pencils and other materials for a tablet.
  • Logistics: Cloud-based services combined with tablets and smartphones allow teams to manage inventory, ensure manifests are accurate or track product shipments anywhere across the globe.
  • Retail: Large, clunky POS systems and antiquated credit card imprint machines have given way to thin, large-screened mobile devices that simultaneously handle sales transactions, keep a database of customer information, provide up-to-date inventory data in real time and do it all with a tap or two.
  • Finance: The FinTech industry has adopted mobile in ways that make it easier than ever before for consumers and businesses to keep track of their financial standing and myriad investments, all without having to stand in line at the bank.
  • Sales: Long the trappings of the road warriors, mobile devices lend themselves to greater performance while sipping battery power and allowing teams to keep in contact from just one, lightweight device.
  • Aviation: Pilots must carry nearly 40lbs. of documents, like navigational maps and aircraft manuals in their kitbags. With the adoption of tablets, the clutter and weight was reduced to 1.5lbs as part of their electronic flight bag.

Why is now the right time to invest in mobile security?

When it comes to security, there’s an aphorism, more anecdotal than anything, that the time before a security incident is when businesses do not feel the need to invest in protection because it’s deemed an unnecessary expense…until a security incident occurs, at which point businesses are much more willing to throw money at the incident in order to make it go away.

Simply put: when things are quiet, it’s easy to lose sight of the good endpoint security is doing because security incidents are being mitigated.

Another way of looking at it is that the best time to invest in mobile security is not when your organization is under attack, but rather when IT and Security teams can work together to properly implement the technologies they require to address the unique requirements of the organization without hasty measures being taken to “clean up the mess as quickly as possible.”

Conclusion

Mobile security is a critical, sometimes mismanaged and often overlooked aspect that is part of a greater, holistic security plan. One that comprehensively protects devices, as well as users and business resources, from the modern threat landscape that includes current and novel threats.

Exacerbating the mobile security dilemma is the fact that user adoption of mobile computing devices continues to rocket, with global adoption rates that are second to no other hardware technology. The increase in devices, married with advancements in mobile technologies, means greater usage of and reliance on them across platforms, touching just about every industry.

When combining the above with the continued migration of businesses toward distributed workforces and the increased targeting of mobile devices by threat actors, organizations shouldn’t merely want to protect their entire fleet of devices, company- and personally-owned alike, from threats…they need to protect their infrastructure to remain compliant and keep resources safeguarded.

And one of the keys to protecting your environment lies in the integration of mobile security alongside your existing security strategy to ensure there are no gaps in protection — just seamless security that protects all your endpoints without compromising the efficacy of solutions or impacts to user privacy while upholding the user experience.

Mobile security is a critical part of your infrastructure and should be integrated alongside your existing security plan.


Security in small business with Jamf Now

Jamf Now

Author: Hannah Hamilton, August 18, 2023

Source: https://www.jamf.com/blog/security-in-small-business-with-jamf-now/

As a small business owner, you have to wear many hats: manager, CEO, accountant, marketer, front-desk worker—the list goes on. And yet there’s one more hat to don: security specialist.

As complicated as the security world is, keeping the growing business you worked hard to build safe and secure doesn’t have to be. Jamf Now can help the smallest teams manage work devices while helping to keep them secure.

Learn about the basics of Apple Device management for small businesses.

Does my small business need security?

Short answer: definitely! Cybersecurity threats are not just for large companies. In fact, in 2021, according to StrongDM, 46% of all cyber breaches affected businesses with fewer than 1,000 employees, and 61% of small businesses were targets of a cyber attack; that’s more than 3 in 5 businesses!

Cyber attacks come with a price. Businesses can lose valuable customers and opportunities as their technology is disabled while recovering from an attack. Intellectual property, customer information and company data can be stolen. Companies can take financial hits upwards of tens or hundreds of thousands of dollars. Not to mention that if appropriate action isn’t taken after an attack, they can happen again and again.

But maybe you’ve already looked into security measures to protect your investments. And indeed, most small businesses have implemented firewalls, antivirus protection and backups. Certainly, these practices are good to have. But are they enough?

Building a cybersecurity strategy

The National Institute of Standards and Technology (NIST) puts out what many consider the “gold standard” for cybersecurity frameworks. This framework breaks down a cybersecurity strategy into these parts: identify, protect, detect, respond and recover. Let’s briefly dive into these pillars and examine how Jamf Now can help your small business.

Identify

To defend your company data, it’s critical to identify:

  • Who has access to your business information
  • What devices and apps are connected to your resources
  • Who is accessing your information at a given time

Jamf Now helps you keep a device inventory of all company-owned devices, and gives you insight about device settings and their security status. Shared devices running iOS or iPadOS can even be locked into Single App Mode, preventing any devices from being used for purposes other than for work. For Macs, the Self Service and app deployment features allow you to allocate company-approved apps, reducing the risk of employees downloading unapproved software and other shadow IT practices.

Another feature of Jamf Now that helps enable security is Password Sync for macOS. This feature for Azure AD and Okta keeps accounts that access your company resources secure by requiring multi-factor authentication and strict identity verification—in other words, it keeps your information in the right hands while keeping track of who is granted access.

Protect

One of the simplest and most effective ways to keep your devices secure is to stay on top of software updates. These updates don’t just include the latest software innovations; they can also include critical fixes for vulnerabilities that would otherwise compromise your security posture. Jamf Now can deploy updates to any or all of your devices.

Beyond updates, Jamf Now can:

  • Configure Wi-Fi, email, calendar and contacts so there’s no guessing whether accounts are set up correctly
  • Encrypt device data
  • Ensure passcodes and passwords meet security requirements
  • Remotely lock, unlock and wipe devices in case they get lost or stolen

Detect

Even organizations with large security teams can fall victim to a cyber attack. When prevention falls short, reliable detection of threats mitigates or minimizes the impact. Jamf Now includes built-in malware prevention and detection software to identify threats. This software relies on expert research and third-party feeds about the latest malware.

Respond and recover

Jamf Now’s malware detection feature also quarantines any potential malware, allowing for appropriate action to be taken. This built-in functionality helps prevent malicious software and other threats from running on your Macs.

Getting started

Even though Jamf Now offers complex features, setting it up doesn’t have to be complicated. Jamf Now offers quick setup and ease of use without requiring an IT team. You start with built-in Blueprints to help you configure your systems right out of the box, and you also have the flexibility to create custom Blueprints to meet your business needs.

Your first three devices are free—give Jamf Now a try.


G2 Summer 2023 Report

Jamf Now

Author: Jesus Vigo, July 18, 2023

Source: https://www.jamf.com/blog/g2-jamf-reviews-2023/

It brings us immense pride and appreciation to announce that we have received the highest accolades in the Summer 2023 Report, a publication by G2, the prominent tech marketplace and peer-to-peer review platform.

G2 scores products and vendors based on authenticated community reviews, aggregated online and social network data points, and algorithmic calculations of satisfaction and real-time market presence. You can find a detailed explanation of the report scoring methodology here.

Jamf continues to be ranked a leader with our mobile device management (MDM) solutions, Jamf Pro and Jamf Now, along with the authentication and identity management solution Jamf Connect. Endpoint management solution Jamf Protect continues to be a high performer, with Jamf School also making its debut on the MDM list.

Highlights from the G2 Summer 2023 Report

Jamf product solutions scored well in G2’s Summer 2023 report, with first-place rankings in 30 categories plus other high marks for Jamf Pro, Jamf Now, Jamf Protect, Jamf Connect and Jamf School.

Jamf Pro

Continues to reign as a Leader and #1 in 29 categories. Products in the Leader quadrant are rated highly by G2 users and have substantial Market Presence scores.

Highlights included:

Jamf Connect

Ranks in 16 categories overall while serving as a Leader in 3 grid reports.

Jamf Now

Ranked in 16 categories overall, and designated as a Leader in 2 grid reports.

Jamf Protect

Ranked in 9 categories while also making the cut as a Leader in 2 grid reports.

Jamf School

Making its first appearance in the G2 Summer 2023 report, ranking in 5 categories.

Don’t take our word for it…

Read what customers have to say about our solutions in G2’s profile of Jamf: how we’ve empowered them not just to meet their compliance goals, but how Jamf solutions have helped and continue to “help organizations succeed with Apple” through holistic, comprehensive security of their Apple fleet – while maintaining user privacy.

You’ve heard from the rest, now it’s time to try the best!

Get started with the free trial and let Jamf help your organization succeed with Apple too.


What can you do with Managed Apple ID?

Jamf Now

Author: May 18, 2023 by Laurie Mona

Source: https://www.jamf.com/blog/how-to-use-managed-apple-id/

Every organization that uses Apple devices needs to understand how to make the best use of Apple IDs, whether personal or managed. Apple IDs are the key to unlocking the potential of every Apple product and service. You need Apple IDs to:

  • Access key Apple services – e.g. App Store, Apple Music, iCloud
  • Manage an account across all of a user’s Apple devices and services

Although individuals who use Apple devices for personal use may also use their personal Apple ID on work devices, there are advantages for businesses that create Managed Apple IDs for their employees.

Manage your Apple devices with Jamf Now or Jamf Pro.

Why are Managed Apple IDs important?

To fully appreciate the advantages of Managed Apple IDs, it helps to understand the purpose of Apple IDs. An Apple ID is created by an individual to be used to authenticate and log into a device. It stores user settings that the device will recognize when that ID is used. While these IDs are primarily created for personal use, until recently they were also used on company-owned devices.

Using personal Apple IDs on work-owned devices creates challenges because the device management processes were designed for personal use, not the business world, including how updates and personal information are handled. Using business emails as personal Apple IDs for work creates issues as well, including the all-too-common problem of an employee leaving the company while the locked device remains behind.

The solution: Your company can create Managed Apple IDs to better manage and secure the devices employees are using for business purposes.

Managed Apple IDs are accounts designed specifically for businesses and schools that enable access to key Apple services. Unlike with personal Apple IDs, IT administrators can manage the services that your Managed Apple ID can access.

These free services unlock the benefits of tools to help those who manage Apple devices, helping you automate and simplify the deployment, management and security of the devices. These tools can help you standardize employee onboarding and offboarding, and use Apple ID for business as designed.

Managed Apple IDs are unique to your company and separate from Apple IDs that you can create for yourself. You can associate your Managed Apple ID with the same email address and phone number as your personal Apple ID.

Creating and using Managed Apple ID

While Managed Apple IDs can be created manually using Apple Business Manager (ABM) or Apple School Manager (ASM), most organizations will use a federated authentication method to centrally manage organizational identity.

Federated authentication is currently supported through a link to Azure Active Directory (Azure AD) or to Google Identity via a supported Google Workspace domain. Azure AD can be further federated to other identity provider solutions (Okta, OneLogin, etc.) through a WS-authentication or SCIM connection. A paid Azure AD subscription is not required for federation.

A Managed Apple ID allows a mobile device management (MDM) solution like Jamf to provide a feature called User Enrollment. Introduced in iOS 15 and iPadOS 15, User Enrollment allows a simplified workflow requiring only an organization email address and password.

User Enrollment works with either Google Workspace or Azure AD managed by either Apple School Manager or Apple Business Manager and a third-party MDM solution. To take advantage of synchronization with Google Workspace or Azure AD and User Enrollment, your organization must first:

  • Configure Google Workspace or Azure AD
  • Prepare for federated authentication with additional configuration if you have a local version of Active Directory
  • Sign up your organization in Apple School Manager or Apple Business Manager
  • Set up federated authentication in Apple School Manager or Apple Business Manager
  • Configure an MDM solution and link it to Apple School Manager or Apple Business Manager
  • (Optional) Create Managed Apple IDs

The user’s personal device will be under limited control for the privacy of both the organization as well as the private, personal information of the device owner. For Bring Your Own Device (BYOD) employees, this company-specific managed ID allows employees to maintain privacy and separation from their personal Apple IDs.

As security of private data faces new threats, User Enrollment with Managed Apple ID enables true data separation, with enterprise iCloud data kept separate from personal iCloud data.

Using Managed Apple IDs by device ownership type

It’s important to consider the type of device ownership your employees have when looking at Managed Apple IDs.

  • Bring Your Own Device (BYOD) – If employees are providing their own personal devices, enabling usage of iOS or iPadOS devices – via User Enrollment — requires Managed Apple IDs.
  • Corporate Owned devices – All device types that are corporate-owned can be used with Managed Apple IDs.

You also need to consider whether devices will be used 1:1 or will require shared access.

For shared devices, Managed Apple IDs can be used to enable role delegation, granting access to specific resources and applications assigned by role.

Opening up IT Admin control

Your IT team either manually creates Managed Apple IDs in ABM/ASM or creates them through a federated authentication method, and manages them from the ABM/ASM portal. This means your employees won’t have to worry about creating their own Apple IDs, managing those Apple IDs or downloading the tools and software they need. All of this comes from IT via Apple’s free programs for app purchasing and device enrollment and is deployed through your MDM; this results in more control over devices as well as a smoother onboarding and offboarding process.

Your IT team will also have control over creating and managing the Apple ID used for Apple Push Notification Services (APNs) certificates.

Device processes your IT Admins will be able to control include:

  • Restricting access to accounts
  • Removing accounts
  • Updating account information
  • Pushing content
  • Assigning roles and privileges
  • Sharing of iPads with Managed Apple IDs
  • Managing Contacts, Calendars, Reminders, iCloud Drive
  • Specifically for schools: allows usage of Apple’s Classroom App for class management

Why Managed Apple IDs are important for business and schools

More benefits of using Managed Apple IDs in your organization include:

  • Increased security: This layer of management provides a holistic view and understanding of what is being put on the devices (e.g. apps, books, content). Because all apps and tools are pushed by IT and ABM/ASM, each app can be properly vetted before deploying to devices. This allows you to verify that every tool is secure, prevent employees from downloading insecure or rogue applications and ensure that all company and client data is only backed up and saved in places you approve.
  • Less work for the end user: With IT managing their account, employees don’t have to worry about managing it. Not only are users relieved of managing their credentials and day-to-day account upkeep, but Managed Apple IDs also offer enhanced collaboration across apps. Ease of collaboration helps your employees get more done, more effectively, and helps you achieve your business goals.
  • IT control over devices: With Managed Apple IDs managed by IT, troubleshooting is easier as you don’t have to rely on employees to remember their Apple ID credentials. Not to mention, when employees leave your organization, there’s no risk of being unable to access the device because you don’t know the credentials. Non-federated Managed Apple IDs also enable utilization of IT as a “service account”; APNs that aren’t linked to an individual’s Apple ID prevent issues if IT staff leaves.

Improving your bottom line with better management

After weighing the pros and cons, your organization may realize it’s time to use Managed Apple IDs to simplify your device management and security. Designed by Apple, for Apple devices, it’s one more way to make life easier for your organization, your IT department, and ultimately your end user.

Try Jamf today!


Verify Apple ID domains with ABM

Jamf Now

Author: April 10, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/verify-apple-id-domains-with-abm/

Creating managed Apple IDs in Apple Business Manager (ABM) provides your organization with a convenient authentication solution with Apple at Work. Administrators can use their own company domains for their managed Apple IDs; to take advantage of this feature, admins must verify their company owns the domain associated with their ABM account.

Why do you need to verify your domain to use ABM?

Since using a given domain requires modifying the DNS records for that domain, it’s important to ensure your organization has the authority to do so. A domain can only be verified by one organization, and the process must be completed within 14 days of being started. If you are unable to verify your domain, it’s possible to use the reserved domains that Apple generates automatically based on the website used when signing up for ABM.

How to add your domain to ABM

To add your domain to ABM:

  1. Sign in to ABM as an administrator or people manager.
  2. Select your name at the bottom of the sidebar, select Preferences, then Accounts.
  3. In the Domains section, select Edit, then Add Domain.
  4. Add the domain you want to use, then select Continue.
  5. Select Verify next to the domain. A TXT record appears stating the domain is in the verification process; the record ends in a string of random characters.
  6. Select Copy and paste the TXT record into the domain’s zone file.
  7. After the TXT record is added, finalize the verification process by going to Accounts in ABM, locating the domain, and selecting Check Now.
  8. After the domain is verified, the TXT record can be removed from the zone file.
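A quick offline sanity check for step 6, as an added example that is not Jamf’s or Apple’s code: it parses a BIND-style zone file and confirms the verification TXT record is published at the domain apex with the exact token, flagging the two common mistakes that make step 7’s Check Now fail (the record sitting under the wrong name, or a stale token from an earlier attempt). The zone file, domain and token below are constructed placeholders; copy the real record text from the ABM Verify dialog.

```python
"""Offline check that a domain-verification TXT record landed in a zone file.

Added example, not code from Jamf or Apple. Assumes a BIND-style zone file for
the apex of the domain being verified; the token below is a constructed placeholder.
"""
import re

# Constructed placeholder standing in for the record ABM displays (the real one
# ends in a random string, which is why a stale copy silently fails "Check Now").
EXPECTED_TXT = "example-verification=PLACEHOLDER-r4nd0m-t0k3n"

# Constructed sample zone: SPF TXT plus the verification TXT at the apex (@).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                  2023041001 7200 3600 1209600 3600 )   ; serial, refresh, ...
@       IN  NS    ns1.example.com.
@       IN  A     192.0.2.10
www     IN  CNAME example.com.
@       IN  TXT   "v=spf1 -all"
@   300 IN  TXT   "example-verification=PLACEHOLDER-r4nd0m-t0k3n"
"""

# A token is either a double-quoted character-string or a bare word.
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def _strip_comment(line):
    """Drop a ';' comment, but only when the ';' is outside double quotes."""
    out, in_quote, prev = [], False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            break
        out.append(ch)
        prev = ch
    return "".join(out)


def _fqdn(name, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_txt_records(zone_text, origin=""):
    """Return [(owner_fqdn, txt_value), ...] for every TXT record in the zone."""
    records, owner, pending = [], None, None
    for raw in zone_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        # Join a parenthesised multi-line record (e.g. SOA) back into one line.
        if pending is not None:
            pending += " " + line
            if ")" not in line:
                continue
            line, pending = pending, None
        elif "(" in line and ")" not in line:
            pending = line
            continue
        toks = [("str", m.group(1)) if m.group(1) is not None else ("word", m.group(2))
                for m in _TOKEN_RE.finditer(line)]
        if toks[0] == ("word", "$ORIGIN"):
            origin = toks[1][1]
            continue
        if toks[0][1].startswith("$"):  # $TTL, $INCLUDE: no owner name, no record
            continue
        if not line[0].isspace():  # a new owner name starts the line
            owner, toks = toks[0][1], toks[1:]
        if owner is None:
            continue
        i = 0  # skip the optional TTL and class fields
        while i < len(toks) and toks[i][0] == "word" and (
                toks[i][1].isdigit() or toks[i][1].upper() in ("IN", "CH", "HS")):
            i += 1
        if i >= len(toks) or toks[i][0] != "word" or toks[i][1].upper() != "TXT":
            continue
        # RFC 1035: adjacent quoted character-strings form one TXT value.
        value = "".join(v for kind, v in toks[i + 1:] if kind == "str")
        records.append((_fqdn(owner, origin), value))
    return records


def verify_domain_txt(zone_text, domain, expected_txt):
    """Report whether expected_txt is published at the apex, and why not if it isn't."""
    apex = domain if domain.endswith(".") else domain + "."
    records = parse_txt_records(zone_text, origin=apex)
    at_apex = [v for n, v in records if n.lower() == apex.lower()]
    if expected_txt in at_apex:
        return {"verified": True, "problems": []}
    problems = []
    misplaced = [n for n, v in records if v == expected_txt and n.lower() != apex.lower()]
    if misplaced:
        problems.append(f"token published at {misplaced[0]} instead of the apex {apex}")
    prefix = expected_txt.split("=", 1)[0] + "="
    if any(v.startswith(prefix) for v in at_apex):
        problems.append("a verification record is at the apex but its token does not match; re-copy it from ABM")
    if not problems:
        problems.append(f"no matching TXT record at {apex}")
    return {"verified": False, "problems": problems}


if __name__ == "__main__":
    print(verify_domain_txt(SAMPLE_ZONE, "example.com", EXPECTED_TXT))
```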

Ready for some first-hand experience with our solutions?

Sign up for a free trial of a Jamf MDM.


10 things to consider when switching MDM providers

Jamf Now

Author: April 10, 2023 by Sam Weiss

Source: https://www.jamf.com/blog/10-things-to-consider-when-switching-between-mdm-solutions/

As the foremost Apple-first, Apple-best mobile device management (MDM) solution, we at Jamf have seen the competition come and go. Apple device management can be a complex affair, and many MDM startups fail as a result of trying to offer too much. With Apple technology constantly evolving – and organizations’ needs always changing – there’s a good chance you may outgrow your MDM vendor’s capabilities. Switching MDM solutions can be a daunting prospect, but given the headaches your current solution might be causing you, it could very well be worth it.

What are some things to plan for when you switch MDMs? How can you work around limitations between providers? Do you really need to wipe all the devices in your environments?

The best piece of advice we can give you is to plan thoroughly. Use our MDM Migration Guide to start planning. And if you’re still feeling overwhelmed, Jamf offers migration services to help plan and execute this move. Either way, Jamf has your back.

Below are 10 specific questions to ask yourself when you switch MDM vendors. These are critical to consider if you want to save time and guarantee a positive end-user experience.

1. Logistically, how do I enroll user devices into my new solution?

Using Apple Business Manager or Apple School Manager and an MDM solution, end users can automatically enroll and configure new devices without requiring hands-on support from IT.

When using these deployment tools, you will log into the portal and either move your entire token to your new MDM or create a new MDM server entry and move your devices to that new token. The next time your devices are wiped, they will enroll into your new management system.

2. Do I need to wipe my iOS devices?

iOS devices can be “supervised,” which simply means that administrators of an MDM solution control many settings of the device. Apple Configurator or Automated Device Enrollment (ADE) used with an MDM solution enables supervision.

Moving a supervised device between MDM vendors means wiping the device. However, if you follow Jamf’s guide for switching MDMs, you can speed this process by sending a wipe command to your devices after moving your server token in Apple Business Manager or Apple School Manager. Many schools have their students assist with this process.

3. What should I do about iOS devices that are not in Apple Business Manager or Apple School Manager?

It is common for organizations to have iPads that were procured through several routes. While it may be tempting to purchase iPads on clearance from your local big-box store, it can make management tricky. And if you’ve found a way to band-aid this by leveraging user-initiated enrollment, moving to a new MDM is where those band-aids will start to fall off. Fortunately, Apple has provided a way to enroll these devices into your Apple Business Manager or Apple School Manager account. Beginning with Apple Configurator 2.5, you can enroll iOS devices regardless of where they were purchased. Once a device is activated, a 30-day provisional period begins. After the 30 days, these devices will act just like the other devices you have in Apple Business Manager or Apple School Manager. Pro tip for schools: Start this process more than 30 days before the beginning of classes so students can’t remove themselves from management.

4. What about Mac; do I need to wipe those?

There are several ways to enroll a Mac into an MDM, and wiping doesn’t necessarily have to be involved. If the MDM profile is removable (either by the user or the previous management solution), devices can be enrolled to Jamf without requiring a wipe. Users can either self-enroll with a URL or run a small file to bring their device into Jamf. If you are interested in moving MDMs and not wiping your Macs, talk to us and we can help.

5. What about my users’ data; how do I ensure that data moves if I have to move my devices?

Here are several types of data that might be on the device, along with the details you need to consider for each one:

  • Mail: If your mail accounts are Microsoft Exchange or IMAP servers, once the new account is pushed to the device with a new configuration profile the devices will resynchronize all data. Depending on how much data and how many devices you have, this could be network-intensive and users may experience a delay while this content returns.
  • Photos, Notes, Messages: If your iOS users are either using iCloud sync services or iCloud backup, you can rest easy that their content will sync just as if you’ve recently upgraded iPhones. If you have prohibited iCloud backups as a corporate policy, you may be able to run a local iTunes backup to your machine.
  • Apps and App Data: Certain apps use iCloud to sync data, but be wary of apps that only use local storage. If you are using an iCloud restore you may be in the clear, but double-check this if you have business-critical apps.

If you were getting managed app distribution licenses through Apple Business Manager or Apple School Manager, don’t fret! Your organization retains ownership of these licenses, and you can easily redistribute them using your new management solution.

6. How do I move my apps over to the new MDM?

As mentioned above, Apple Business Manager or Apple School Manager are keeping track of your license purchases and are tied to a token. You can move this token to your new MDM, reclaim your app licenses and start deploying.

The moment a license is revoked from the device, a few behaviors kick in. Some app vendors have a 30-day grace period for app licenses to be reinstated, and some will remove the app immediately. Keep in mind that any supervised iOS devices will need to be wiped anyway, so this may not be a huge concern, but this does stress the point of having a planned-out deployment. Consult the migration guide linked at the beginning of this blog post for detailed help with this issue.

7. Is there a way to protect my network from increases in traffic volume during re-enrollment?

Depending on what apps and content you are pushing to your devices and the location of your end users during re-enrollment (on-network or off), you may see large amounts of network traffic during this time. Some of this traffic is caused by the iOS devices downloading apps directly from the App Store. As a general best practice, we recommend only pushing required apps and encouraging users to leverage Self Service to get other apps at a time that is best for them (and not during a massive enrollment event). However, a Mac acting as a local caching server may help to relieve some of this network congestion. When properly configured, the caching server will deliver App Store content to devices on your network, without having to reach across the internet to do so. During an enrollment, you may have all your devices receiving a suite of business-critical apps. Serving that same content locally every time may be the difference between a smooth roll-out and users standing around waiting for apps to download.

8. Do I currently integrate with an identity service or have other custom integrations?

Does your server communicate with a directory service like Microsoft’s Active Directory to host credentials and network information? If so, you need to configure that and any other areas of your ecosystem on the new MDM service. Do you have scripts that communicate with an API on an MDM solution? If so, you’ll need to make sure that scripts can be rewritten – and then go ahead and actually rewrite them. Make sure that you aren’t complicating the deployment by scripting native features, and review the most time-intensive aspects of redoing your work for the new environment. This will save you time in the long run.

9. Are there ways to speed up this process?

While Jamf promotes many over-the-air workflows, Apple Configurator can back up devices, restore devices, add manual profiles (such as those that join a wireless network) and add enrollment profiles on devices. For fans of scripting, Apple Configurator 2 supports AppleScript. For large migrations, it is worth considering the efficiencies of a configurator cart.

10. Do I need to tell my users about the switch?

Absolutely. MDM migrations benefit from clear communication to end users for several reasons. During this process, the user may see pop-ups about app licensing, and depending on your path forward, the user’s device may need to be wiped. Instead of instilling fear or worry, take this as an opportunity to empower your users and make them a part of the enrollment process whenever possible. Jamf’s focus on zero-touch deployment makes it easy to involve end users and to educate them in the functionality and value of the MDM. As long as you have been communicating about the above-listed topics (app and data retention, device wipes, etc.), you can provide your users with an amazing and fresh setup experience. Users will return to a managed environment and can use apps like Self Service to quickly re-install business-critical applications. Don’t fear the end user; empower them and use them as a resource. Many organizations have found that when employees are a part of the provisioning process, they demonstrate a more positive attitude toward management and are ultimately more successful on their devices.

Jamf can help you with the migration process

Jamf has years of experience successfully migrating customers to our MDM solutions. Whether your organization needs project orchestration or boots on the ground, Jamf can make this process painless and efficient.

While moving from one MDM provider to another may seem like an overwhelming task, you’re not alone on your journey; let us help! Our helpful MDM Migration Guide is a great place to start, and our teams can take you the rest of the way.

Ready for some first-hand experience with our solutions?

Sign up for a free trial of a Jamf MDM.


Top security challenges and how to overcome them: Compliance regulations

Jamf Now

Author: March 31, 2023 by Jesus Vigo

Source: https://www.jamf.com/blog/security-compliance-regulations/

Welcome to this blog series, which highlights the top security challenges organizations are facing and discusses how to overcome them. Each of the five articles in this series targets a specific challenge while providing guidance on finding the method(s) that work for you and meet your organization’s unique needs.

Given each organization’s differing needs, requirements, budgetary constraints and regional location, consider the guidance provided here less as prescriptive (i.e., “you need to do this”) and more as a listing of the potential options available – alongside their respective strengths and weaknesses – allowing organizations and the administrative teams that support them to develop the security strategy that works best for them while still addressing the threats, attacks and concerns of the modern threat landscape that most impact their business operations, processes, users and, of course, data.

Up first is governance and regulatory compliance. Specifically, this article will tackle this in a one-two-three-type of format, as follows:

  1. Why is complying with regulations important?
  2. What are some of the top global regulations?
  3. How can organizations overcome regulatory challenges?

Without further ado, let’s dive right in, shall we?

Why is complying with regulations important?

To best answer this question, let’s first look at what regulations are and why regulations exist in the first place.

reg·u·la·tion

/ˌreɡ(y)əˈlāSH(ə)n/

noun

1. a rule or directive made and maintained by an authority.

“planning regulations”

2. the action or process of regulating or being regulated.

“the regulation of financial markets”

Regarding the topic before you today, both definitions apply and organizations would do well to understand each meaning. The former refers to the rules, or in this case, laws enacted by governing authorities (like states, countries and regions) relating to a specific industry, product and/or process. The latter refers to the enforcement of these laws by their enacting authorities and how each industry that is subject to these regulations must abide by them or run the risk of being found in violation of these laws (but more on what happens if compliance is not met later).

Now that we understand what regulations are, why do they exist? They exist for different reasons depending on the particular law. But suffice it to say that regulations collectively exist to ensure that consumers of products and/or services that are covered by these laws are protected against acts that would otherwise cause harm or distress to the user. Furthermore, regulations exist to ensure that organizations that provide products and services are governed to ensure that the processes they take to carry out business operations are done so in a safe, secure manner to minimize the level of risk they expose their customers to.

So back to our primary question: Why is it important to comply with regulations? It is important because simply put: regulations exist to guide organizations on how to safely and securely provide access to sensitive or even critical products and services. At the same time, these provisions protect the users of these products and services from the undue risk that may have been avoidable, if only the proper care had been taken and due diligence had been performed by the provider.

What happens if organizations fail to comply?

As explained above, a key part of governance is guidance to ensure that processes are hardened to minimize risk. Another key part of governance is enforcement, ensuring that organizations do comply with the laws related to their industry. Consider guidance and enforcement sort of like, cause and effect, if you will.

The effect that occurs depends on whether the cause happens or does not happen. In the case of compliance, the effect often comes in the form of a violation. Depending on the law that is broken, the severity of the offense, the circumstances of the incident and the fallout resulting from non-compliance, organizations can be subject to severe fines, including loss of federal or government funding, if applicable. Organizations that have been found guilty of frequent non-compliance may even find their business suspended or forced to terminate by the governing body of the state, country or region.

Additionally, individual users may be found liable for any violations and could be subject to civil and/or criminal charges if found guilty of knowingly not complying with regulations.

What are some of the top global regulations?

While certainly not exhaustive, the list below represents some of the most commonly known industry regulations, grouped by sector and associated region:

  • Finance
  • Education
  • Government
  • Healthcare
  • Consumer
  • Cybersecurity

It is important to note that multiple regulations may sometimes apply to a single industry, as evidenced above by the finance sector and the numerous US-based regulations that govern it. This does not mean that organizations get to cherry-pick which regulations they’ll adhere to; rather, it provides a concrete example that businesses in the finance industry must abide by all the requirements contained within each of those regulations.

The same applies to international organizations doing business in multiple countries or regions. Regardless of where the business is headquartered, if the business is part of a regulated industry, that business is subject to the regulatory laws of every country and region in which they conduct business – even if they do not have a physical presence in those countries.

Complying with some regulations but failing to comply with others is still considered non-compliance by the country or region in which compliance has failed to be met, possibly making non-compliant businesses subject to consequences for violating the laws in those countries.

How can organizations overcome regulatory challenges?

Identifying which regulations apply to your business is the rather easy part. The difficulty comes in two waves:

  1. Determining the settings, configurations, processes and workflows that address the various bits of regulatory guidance.
  2. Enforcing each of the above to verify that endpoints, users and data are (and remain) compliant with each facet of regulation.

Ask any IT administrator who is tasked with achieving and maintaining this goal and they’ll no doubt share the challenges presented by this undertaking. But with the right combination of knowledge, tools and information, overcoming these challenges is not only possible; a considerable amount of the heavy lifting can be automated so that your organization not only mitigates risk but also has a system to remediate devices that are found to be out of compliance quickly and efficiently – with little to no impact on the end user or business operations.

Sounds good, right? You bet it does and, in the following subsections, we’ll cover some of the tools, processes and best practices that can help your organization to do just that.

Compliance management framework

Identifying which regulation(s) pertain to your organization is the first step. Second, is to perform a risk assessment to determine the level of risk attributed to all devices, data and the criticality of business processes.

The next step is deciding upon and implementing a management framework that will significantly aid your organization – and IT and Security teams – in establishing the protocols required to achieve compliance goals.

There are several frameworks developed by different vendors, but they all share a similar goal: to help organizations meet their compliance goals through guidance on which settings and processes need to be secured in order to achieve and maintain compliance. A framework is certainly not required in order to achieve compliance, but its structured format provides the key information IT and Security teams need to lock down device and application settings. In fact, some of the frameworks we highlight may already be integrated with your preferred security solutions, or provide a way to integrate them for comprehensive management of devices and security. Think of it as Yin (management) and Yang (security), or a holistic IT compliance strategy.

  • National Institute of Standards and Technology (NIST): NIST is part of the U.S. Department of Commerce and provides guidance for organizations on cybersecurity and compliance – and numerous other computer security-related topics. The documentation it provides is written by industry professionals and updated regularly to keep up with the modern threat landscape. While its publication on Security and Privacy Controls for Information Systems and Organizations (SP 800-53) is maintained, its Guide to Securing Apple macOS 10.12 Systems for IT Professionals (SP 800-179) has since been deprecated and merged into the macOS Security Compliance Project covered later in this section.
  • Center for Internet Security (CIS): The CIS guidance for Apple macOS comes in the form of benchmarks derived from the “community consensus process and consists of secure configuration guidelines developed for Apple macOS,” as explained by CIS themselves. Their benchmarks provide updated information on secure configurations for locking down macOS and iOS devices against cyber threats.
  • macOS Security Compliance Project (mSCP): Formerly part of NIST SP 800-179, this open source effort is hosted on GitHub. Its guidance is developed as a joint project by NIST, the National Aeronautics and Space Administration (NASA), the Defense Information Systems Agency (DISA), Los Alamos National Laboratory (LANL) and Jamf, culminating in NIST SP 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). The project acts as a resource for MacAdmins to “easily create customized security baselines of technical security controls by leveraging a library of atomic actions which are mapped to the compliance requirements…to meet the particular cybersecurity needs of any organization.”

Hardening configuration profiles

We won’t go into much detail in this section since which configuration profiles are to be secured will largely depend on the unique needs of your organization and which regulations it’s subject to.

That said, this section will be greatly influenced by the previous one. Namely, the framework chosen details which settings require hardening and the degree to which they should be secured as they map directly to a particular compliance benchmark.

Whether this is performed manually by MacAdmins per device or as part of an automated workflow (more on automation later) is also up to the organization. However, it is strongly recommended that the deployment of configuration profiles be managed and automated to minimize user error and achieve the greatest level of success when mitigating risk in a timely manner.

Actively monitoring for threats

Like having your finger on the pulse of what’s going on within your organization, active monitoring clues administrators into the status of the devices they’re tasked with maintaining, every step of the way. If malware infects an endpoint, a user downloads a risky app or Apple releases a new update, knowing this is happening as it occurs is a key element of keeping endpoints compliant, and it is critical when it comes to triaging an issue or remediating an incident quickly rather than letting it linger longer than necessary.

Apart from continuously monitoring health status (which we’ll get into in the next section), an established notification system provides real-time alerts when something deviates from the expected behavior or implemented benchmark, triggering a swift response and hopefully, equally swift resolution to an incident.

Gathering and analyzing health data

Similar to the alerts above, active monitoring also means logging all pertinent telemetry data that can be used to paint a picture of endpoint health as well as provide important clues to incident response teams.

Telemetry data can answer a plethora of questions surrounding endpoint health, compliance status and what caused it to deviate, such as:

  • Was it something the end-user introduced?
  • Did an external attack occur?
  • How was it able to slip past the device’s defenses?
  • Where did the threat come from?
  • Who (or what) was the intended target?
  • What was taken or modified during the incident?
  • Why did it happen and is it something we can protect against in the future?

These and seemingly dozens of other important questions can be answered by gathering and analyzing telemetry data to ascertain not only what happened but also to build a timeline of how and when it happened. It also allows for comparison against other endpoints that were not impacted. What are the commonalities and differences? For example, OS version, device type or even the location of the endpoint when the incident was first detected are useful for aiding investigations.

Securely sharing telemetry data

Imagine you’re an employee of an organization that has both an IT and a Security team. You are a member of the former and, after a recent incident, are tasked with deploying patches to the affected devices to ensure that the vulnerability is remediated. The only thing is, the Security team does not share the information they have on which devices were impacted or what the vulnerability is. Let’s just say your job has just become several degrees more difficult without this critical data.

Well, the same applies to sharing telemetry data. An endpoint that generates a log of everything that occurs on the device but stores it locally on the device itself is of little use if the device belongs to a remote user. It becomes even more useless when you’re required to gather logs from hundreds or thousands of devices – all located remotely – to analyze them and gain a current understanding of the overall device security posture.

This is where integration between solutions becomes a critical ally, regardless of whether you’re part of IT or Security. Streaming logging data from each remote endpoint to a centralized repository, like your preferred SIEM solution, not only gathers all the necessary details in one easy-to-review location but the analysis of rich telemetry data is simplified by the SIEM’s built-in tooling to provide you with real-time assessment of the device security posture in just a few taps.

Integrating and extending solutions

Here we only begin to scratch the surface of integration; a later section covers how it enables automation. By sharing rich telemetry data through a supported solution’s Application Programming Interface (API), secure integration between solutions can further extend capabilities to include a number of useful administrative functions, like:

  • advanced workflows
  • automated processes
  • policy-based management
  • triggering incident response actions
  • visualizing telemetry data and reporting
  • chaining together first- and third-party solutions
  • automated triage and remediation

The possibilities are quite literally near endless, depending on the solutions in use within your organization and how they’re configured based on your unique needs. Consider the following example, in which Jamf Protect is integrated with Jamf Connect and Jamf Pro.

Jamf Protect detects some unusual behavior occurring on a MacBook Pro that is connected to public Wi-Fi without VPN enabled trying to access business resources. Behavioral analytics determine this action to be risky and shares the telemetry data with Jamf Pro. The latter triggers a policy that checks for the existence of a ZTNA configuration and when it does not find one, it automatically installs the configuration profile to the device. Jamf Protect rechecks the endpoint, determining the profile was installed successfully. Though an authorized user appears to be logged onto the device, they continue to try to access business resources without enabling ZTNA. This telemetry data is shared with Jamf Connect, which effectively triggers a prompt to authenticate the user account before ZTNA can be enabled to secure the connection and grant access. Without successful authentication, access to protected business resources is not granted, thereby keeping data secured from unauthorized access.

Threat remediation and incident response

In the example above, we showed a cursory method of securing network communications by checking if ZTNA is installed and enabled. If not, the integration between Jamf Protect and Jamf Pro deploys the appropriate configuration using the latter while the former verifies it’s configured properly and enables it to provide data security when accessing protected business resources.

But what if it was not a missing ZTNA client that was needed, but rather an app that the organization does not permit being downloaded to the endpoint? An incident response workflow could spring into action the second the app is downloaded to the device: the app is scanned to determine its hash value, and if a match against the disallowed list is found, the suspect application is immediately removed from the endpoint while a prompt informs the end user that the app is not allowed and was therefore removed to maintain compliance.
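The hash check in that workflow, as an added example that is not Jamf’s code or the behaviour of its products: a portable shell script a MacAdmin could run from a policy to hash a downloaded app’s main executable, compare it against an organization-maintained blocklist, and move a match into a quarantine directory. The blocklist format (one lowercase SHA-256 per line, `#` comments allowed), the quarantine directory and the sample files are assumptions; the end-user prompt described above is left to the MDM.

```shell
#!/bin/sh
# Added example (not Jamf's code): hash-based check of a downloaded
# application against an organization's disallowed-app list.
# Assumptions: the blocklist is a text file of lowercase SHA-256 digests,
# one per line (comments after '#' allowed), and the path checked is the
# app's main executable (for a bundle, Foo.app/Contents/MacOS/Foo).

set -u

# Print the SHA-256 digest of a file. Tries coreutils, then the macOS
# shasum, then openssl, so the same script runs on Linux and macOS.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Return 0 if the digest appears in the blocklist, 1 otherwise.
# Comments, surrounding whitespace and letter case are ignored.
digest_is_blocked() {
    digest=$1
    blocklist=$2
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$blocklist" \
        | tr 'A-F' 'a-f' | grep -qFx "$digest"
}

# Check one file. Prints a one-line verdict and returns
# 0 = allowed, 2 = disallowed (digest matched), 3 = file unreadable.
check_app() {
    app=$1
    blocklist=$2
    [ -r "$app" ] || { echo "unreadable: $app"; return 3; }
    digest=$(file_sha256 "$app")
    if digest_is_blocked "$digest" "$blocklist"; then
        echo "disallowed: $app ($digest)"
        return 2
    fi
    echo "allowed: $app ($digest)"
    return 0
}

# Remediation step: move a matched app out of the user's reach into a
# quarantine directory (recoverable, unlike rm) and log the action so it
# reaches the endpoint's log stream. Returns 0 on success.
quarantine_app() {
    app=$1
    qdir=$2
    mkdir -p "$qdir" || return 1
    mv "$app" "$qdir/" || return 1
    logger -t app-compliance "quarantined $app -> $qdir" 2>/dev/null || true
    echo "quarantined: $app -> $qdir"
}
```

A policy would call `check_app` on the newly downloaded executable and, on return code 2, `quarantine_app` followed by the user notification.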

If the threat is something far worse, say a particularly nasty piece of ransomware that gets installed through an exploit on a vulnerable app, remediation workflows leveraging telemetry data and your preferred MDM can perform the following steps to clear out the infection and bring the device back into compliance quickly and with little impact to the end-user:

  1. Jamf Protect’s behavioral analytics detect the ransomware’s actions and immediately quarantine the endpoint to prevent further damage.
  2. The user is logged out and prevented from authenticating while the malware is programmatically removed from the system.
  3. After the malicious code is determined to be gone, Jamf Pro deploys the updated app to mitigate the vulnerability and the device is rebooted.
  4. Once remediated, the endpoint once again permits the end-user to authenticate and get back to being productive.

All this occurs with notifications informing the user of each step of the process so they stay informed while allowing the workflow to bring the endpoint back into compliance without further delay.

Pulling it all together with automation

Automation is key. The computing landscape has changed so drastically in recent years with global businesses migrating to remote work environments and the adoption of mobile device technology…and let’s not forget bad actors that have also evolved their attack campaigns alongside the modern threat landscape.

Simply put: there are too many users, relying on even more devices that are being attacked by a never-ending stream of threats – counterbalanced by too few IT and Security professionals – to possibly respond to each incident manually. Not to mention that we’re human, there are only so many hours in a given day and, ultimately, attackers only need to get it right once to be successful…IT and Security need to be right every single time.

That’s a lot of pressure, so leveraging solutions by extending workflows to include advanced automation helps MacAdmins alleviate this burden tremendously, freeing them up to:

  • develop advanced workflows to keep devices, users and data better protected
  • turn their personal attention toward higher severity level incidents
  • ensure that endpoints are standardized to meet compliance requirements
  • work with other teams, like compliance and risk assessment, to verify that endpoints are compliant with regulatory governance
  • work smarter, not harder by offloading repetitive or tedious tasks to minimize the risk of user error and misconfiguration

Meeting your mobile compliance needs now and into the future isn’t as simple as procuring a solution.

It requires an understanding of the risks and challenges unique to your organization, combined with best-of-breed solutions, to develop a comprehensive strategy.


Do you really need Apple Business Manager?

Jamf Now

Author: March 28, 2023 by Felix Peters

Source: https://www.jamf.com/blog/do-you-really-need-apple-business-manager/

At Jamf we often hear the question, “Do I really need Apple Business Manager (ABM) to manage my Apple devices if I already have mobile device management (MDM)?” Though it depends on your current situation and what you’d like to achieve, the short answer is yes if you want to get the most from your Apple devices.

To get into the long answer, ABM not only adds useful security options and supervision possibilities, but the whole out-of-the-box user experience is unmatched. Alongside your MDM solution to fill the gaps, ABM (as well as Apple School Manager, or ASM) provides a solid set of features to make managing your fleet easier.

When do I need ABM?

For example, think about these three different scenarios in which Apple Business Manager could lend a hand:

  • You are purchasing new devices or refreshing old ones
  • You want to be prepared even if you’re not planning a device refresh for a while
  • You are constantly increasing your company’s Apple hardware or you expect a steep increase in the near future

All three scenarios can be reasons to combine Apple Business Manager and MDM to ease IT pain points, control and remediate problems, create efficient onboarding experiences and improve end-user productivity. Apple Business Manager alone isn’t a fix-all magic wand, but it integrates useful solutions and add-ons to save time, stress and effort.

What can ABM do?

ABM is a free tool that functions as a database of your Apple purchases. It not only keeps track of devices, but also of your App Store apps and Apple IDs. Because of this, you can deploy apps to any Apple device with no Apple ID at all, or with a Managed Apple ID on the device (a standard Apple ID works as well).

All new devices show up in Apple Business Manager right after they are purchased, so these devices can be assigned a name, user, groups, apps, etc., before even being shipped to your location, or even better, directly to the end user’s home. The end user can receive their new device, unpack it and start it up — all without you ever having to touch it.

For the Mac, the use of Jamf Connect can be helpful at this stage, to create a local user account based on your Identity Provider (IdP). The user will therefore have the same user credentials and password for their Mac as for every other app or resource within the company, all in sync with your IdP.

Meanwhile Apple Business Manager will have already forwarded the serial number to your MDM, and the rest is like magic. Apps, restrictions, settings, even PDFs seamlessly install while the end user logs in for the first time so they can start working right away.

Even if you are not investing in new Apple hardware right now, you can still apply for Apple Business Manager, set it up, configure it and link it to your MDM to prepare yourself for future additions to your fleet. Don’t forget that if a device gets wiped, it will always reconnect to your Apple Business Manager after reinstalling the OS and, therefore, will always be in your company’s control and equipped with the right tools.

Maybe a device has gone missing? If it is powered on and reinstalls the OS, it will automatically add itself to your MDM instance and will be under company control again.

Think about a company continuously growing their headcount, and in turn, growing their device count. With Apple Business Manager they don’t need to add every single device manually to their management system — it appears right after purchase.

Note that iOS, iPadOS and macOS devices can be added to ABM afterwards through an app called Apple Configurator. This app needs to be installed on an admin’s iPhone. This is not the preferred method, but it does help if you want to have all your devices in ABM to ensure the same level of security and management can be applied to all company-owned devices.

So, when it comes down to it, yes, you can use an MDM tool without ABM, but you will be missing out on a ton of useful features. This is also a two-way street: you can have ABM without MDM, but then Apple Business Manager will only function as a serial number database. In summary, a combination of both will give you the best experience.

Realize you’re lacking Apple Business Manager? Reach out to your Apple representative to get things in place.

Or maybe you’ve got ABM and are looking to fully empower yourself with mobile device management?


Your Mac admin journey from zero to hero

Jamf Now

Author: March 27, 2023 by Tim Herr

Source: https://www.jamf.com/blog/mac-admin-skills-development/

Is macOS device management a new area for you? Whether you’re new to Mac or starting completely from scratch as an admin, there is a lot of Apple-specific knowledge that you may feel will take years to absorb. But the good news is that getting started as a Mac admin doesn’t have to be as intimidating as it might sound. We offer the resources you can use to get the basic concepts down first and then start moving into progressively more advanced techniques and tools of the trade. If you like what you see here, feel free to bookmark this page and return to it as you grow into your Mac management role.

Start learning the ropes of Mac management

There are a lot of elementary concepts to understand when you start working on device management, and if you come from a management background with non-macOS devices, you’ll already have a head start in understanding these. But no worries either way! Our handy “Mac Management for Beginners” webinar and e-book are great resources to refer back to often in these early days, as you gradually absorb what these fundamentals mean and how they relate to each other.

As a beginner, you’ll be learning about things such as:

  • Configuration profiles and management commands
  • Client management functions
  • Helpful Apple services and programs
  • Lifecycle management stages
    • Mac deployment and provisioning
    • Configuration management
    • App management
    • macOS inventory
    • Mac security
    • User empowerment

Mastering these basics will soon have you performing zero-touch deployments, building on native Apple security and otherwise enjoying the power and flexibility that comes with Mac management. You’ll probably be surprised at how much progress you can make in a short amount of time.

Start experimenting with scripting and automation

Were you hoping that this would be a little farther down the list? The truth is that you don’t need to worry about becoming a scripting wizard right away; even learning a few basic commands can help you to automate repetitive tasks and do your job more quickly and efficiently. Once you start reaping the benefits, you’ll likely feel motivated to further increase your scripting knowledge. Our beginning scripting guide for Apple admins and our “Scripting 101” and “Scripting 102” videos are great places to start learning Terminal syntax and useful commands so you can let automation do the tedious parts of your job for you.

Join the Mac Admins and Jamf Nation communities

No matter how detailed the documentation and training resources that you use, there are going to be times – and probably sooner rather than later – when real-world problems leave you stumped. The good news is that there are Mac admins all over the world tinkering with equivalent workflows, and it’s overwhelmingly likely that someone out there has dealt with a similar enough problem to be able to help.

The Mac Admins community started on Slack and soon added a popular podcast and a repository of popular community projects on GitHub, eventually starting a 501(c)(3) charitable organization in order to promote sustainable and equitable growth. This is a wonderful place to network with your more experienced peers and find help with navigating the unpredictable roadblocks you’ll encounter in your work. The Mac Admins Foundation also works with Apple to subsidize training and certification for aspiring admins who need financial help.

Note: Up to this point, we’ve focused on resources that will be helpful to all Mac admins, regardless of what mobile device management (MDM) solution you use to do your job. The remaining content on this page is dedicated to advanced support for Jamf admins. If you’re not already using Jamf for Mac management and you’d like to try it out, then follow the link at the bottom of this post to request a free trial!

Mac admins who use a Jamf MDM solution will find additional support in Jamf Nation, the largest peer-led community of Apple IT, security and education professionals. The perfect complement to Jamf Support, Jamf Nation can help with troubleshooting, automation and more. You can also make new friends and meet up with them either virtually or in person at our annual Jamf Nation User Conference! Once you start to really feel like part of a community, solving problems and learning new techniques can become simple, social activities.

Get to know one of the Jamf APIs

Jamf’s MDM solutions use Application Programming Interfaces (APIs) to communicate with other systems, and a major benefit of using the Jamf platform is the wealth of integrations available for third-party applications and major ecosystems like Microsoft and Google. Familiarizing yourself with a Jamf API can empower you to develop more advanced management workflows. To get started, you can consult our documentation on “Which API should I use?” and proceed to the Classic API overview or Jamf Pro API overview.

As one great example, you can use Apple’s Swift programming language with the Jamf Pro API to get greater efficiency out of command-based tasks targeting managed devices. Admins who want to learn about and experiment with this connection can check out our expert blog series (Parts 1, 2, 3, 4 and 5) for step-by-step instructions on unlocking new workflows.

Access specialized tools for Jamf admins

Jamf’s mission is to help organizations with Apple, but can anyone help admins with Jamf? Rocketman is a company that offers the Jamf Toolkit, a collection of scripts and documentation designed specifically to aid Jamf admins at work. With these or other scripts and tools offered by outside organizations or Mac admins you encounter online, there are many opportunities to tighten up your workflows and save time for the most important and fulfilling parts of your job.

We hope this helps you to advance in your career and face your fears as you progress from Mac management novice to seasoned pro. Check out our huge collection of online resources for more, or sign up for training if you want some extra help to hit the ground running. We believe in you!

Ready to get the most out of Mac management with Jamf?

Sign up for a free trial today!